The garbage-collection implementation in Mozilla Firefox before
3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 sets
an element's owner document to null in unspecified circumstances,
which allows remote attackers to execute arbitrary JavaScript with
chrome privileges via a crafted event handler, related to an incorrect
context for this event handler.